Cybersecurity researchers at Elastic Security Labs have identified a highly advanced Brazilian banking trojan named TCLBANKER (tracked as REF3076). Representing a major evolution of the Maverick and SORVEPOTEL families, this malware doesn’t just sit on a victim’s machine—it actively works to spread itself using sophisticated worm modules.
By hijacking legitimate communication channels like WhatsApp Web and Microsoft Outlook, TCLBANKER bypasses traditional security filters by sending malicious links through trusted, compromised accounts.
The Attack Vector: Abusing Trusted Software
The infection process begins with a “Trojanized” installer bundled in a ZIP file. The attackers utilize a technique known as DLL side-loading to hide their activity within legitimate software.
- The Decoy: The malware abuses a real, digitally signed Logitech program called Logi AI Prompt Builder.
- The Switch: When the user runs the installer, the legitimate Logitech application is tricked into loading a malicious file (screen_retriever_plugin.dll) instead of its standard components.
- Stealth Tactics: TCLBANKER is “environmentally aware.” It checks for sandboxes, virtual machines, and antivirus software. Crucially, it verifies that the victim is in Brazil by checking the system language and time zone. If the criteria aren’t met, the payload remains encrypted to evade automated analysis.
Weaponized Worm Modules
What sets TCLBANKER apart is its ability to spread autonomously once it gains a foothold.
1. The WhatsApp Web Module
Instead of the usual phishing tactics, the malware targets active WhatsApp Web sessions on browsers like Chrome or Edge.
- Session Hijacking: It clones saved session data to open a hidden browser window, bypassing the need for a QR code scan.
- Trusted Phishing: It sends malicious messages and ZIP files directly to the victim’s contacts. Because the message originates from a known friend, the infection rate is significantly higher.
2. The Microsoft Outlook Module
The second worm module targets corporate environments via Microsoft Outlook.
- Automation Takeover: Using Windows COM automation, the bot takes control of the email account in the background.
- Inbox Harvesting: It scans the address book and inbox to draft and send new phishing emails from the victim’s real email address, easily bypassing spam filters.
The Heist: Full-Screen Overlays
Once TCLBANKER detects the user visiting any of 59 targeted banking or crypto websites, it initiates its final stage. It uses Windows Presentation Foundation (WPF) to create full-screen overlays that:
- Mimic Official Screens: The overlays look identical to real bank prompts or Windows Update screens.
- Lock the System: They freeze the desktop and block keyboard shortcuts (like the Windows key or Escape).
- Disable Capture: They turn off screen-recording tools, forcing the user to enter sensitive security codes directly into the attacker’s interface.
Indicators of Compromise (IoCs)
Security teams should monitor for the following indicators and unusual background processes originating from Logitech applications.
| Type | Indicator (Defanged) | Description |
|---|---|---|
| SHA-256 | 701d51b7be8b034c860bf97847bd59a8... | screen_retriever_plugin.dll (Loader) |
| SHA-256 | 63beb7372098c03baab77e0dfc8e5dca... | Initial TCLBANKER ZIP file |
| Domain | campanha1-api.ef971a42[.]workers.dev | TCLBanker C2 (Cloudflare) |
| Domain | documents.ef971a42.workers[.]dev | File server for payloads |
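As an added example (not part of the Elastic report or the original article), the script below turns the two defanged domains above into hunting logic over DNS logs and flags the DLL side-loading pattern described earlier: a Logitech-named host process loading an unsigned screen_retriever_plugin.dll. The log format, the event schema, and the host image name LogiAIPromptBuilder.exe are constructed assumptions for this example.

```python
import ntpath
import re

# Defanged domains copied from the IoC table; the DLL name comes from the report.
DEFANGED_DOMAINS = [
    "campanha1-api.ef971a42[.]workers.dev",
    "documents.ef971a42.workers[.]dev",
]
SIDELOADED_DLL = "screen_retriever_plugin.dll"

# Constructed sample telemetry (not real logs): one clean and two IoC DNS queries,
# one benign image load and one matching the side-loading pattern.
SAMPLE_DNS = [
    "2025-01-01T10:00:00 client=10.0.0.5 query=campanha1-api.ef971a42.workers.dev. type=A",
    "2025-01-01T10:00:01 client=10.0.0.5 query=login.microsoftonline.com. type=A",
    "2025-01-01T10:00:02 client=10.0.0.7 query=documents.ef971a42.workers.dev. type=A",
]
SAMPLE_LOADS = [
    {"process": r"C:\Program Files\Logitech\LogiAIPromptBuilder.exe",  # hypothetical host image name
     "image": r"C:\Users\u\Downloads\setup\screen_retriever_plugin.dll", "signed": False},
    {"process": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\shell32.dll", "signed": True},
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a literal, lower-cased hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def match_dns(log_lines, defanged=DEFANGED_DOMAINS):
    """Return DNS log lines whose queried name is an IoC or a subdomain of one."""
    iocs = [refang(d) for d in defanged]
    hits = []
    for line in log_lines:
        m = re.search(r"query=(\S+)", line)
        if not m:
            continue
        qname = m.group(1).rstrip(".").lower()  # strip trailing root dot
        if any(qname == ioc or qname.endswith("." + ioc) for ioc in iocs):
            hits.append(line)
    return hits

def flag_sideload(image_loads):
    """Flag loads of an unsigned screen_retriever_plugin.dll by a Logitech-named process.
    Each event is a dict with 'process', 'image' and 'signed' keys (constructed schema)."""
    flagged = []
    for ev in image_loads:
        proc = ntpath.basename(ev["process"]).lower()   # ntpath handles Windows paths anywhere
        dll = ntpath.basename(ev["image"]).lower()
        if "logi" in proc and dll == SIDELOADED_DLL and not ev["signed"]:
            flagged.append(ev)
    return flagged

if __name__ == "__main__":
    print(len(match_dns(SAMPLE_DNS)), "DNS hits;", len(flag_sideload(SAMPLE_LOADS)), "side-load hits")
```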